
Security in php forms

I'm setting up a form in some php script that allows a user to add information to a database. It is important to keep the database secure so I was just wondering if it is possible to enter certain text in the form that would allow someone to send sql commands to the database (i.e. enter a php-mysql query to say delete a table) and therefore damage data in the database. Does php allow this or is it secure enough? While I would appreciate any response I would much prefer if someone could point me in the direction of some articles that I could read on this subject... i.e. php security.

That's an excellent question, and something I've pondered myself a few times. I think PHP's very handy magic-backslashing of quotes adds a decent layer of security (it prevents users from posting a " to end the SQL variable the PHP is generating and follow it with malicious commands) but I'd love to know if there are any good articles out there.

I do know that you can add html tags into forms that get stored on the database and then show up when you access the php script to view the data on the database. You can add some stuff that will really mess up the way it is viewed including infinite popups, images, java etc etc. That means parsing for html tags but what I'm wondering is if you can add actual php code so that you modify the database itself. I don't think you can.... thank goodness

Actually, there are ways through php that are used to check for html and things similar to what you are talking about. It's called "form validation". What it does is, the script is told what to look out for from the input, and modifies anything that could be damaging.

I'm pretty sure that when using the mysql_query() function, it will allow only one sql query to be executed. That was my experience from some testing I did on the matter. I would be interested to know of a conflicting opinion on that. I know that other *cough* *gASP* *wheeze* languages are not so secure in this way and that the trick there is to make sure that you enclose all your user input in quote marks so that malicious data does not get executed by the sql server.

Also, of course add_slashes should be used before inserting data into the db and reversed with strip_slashes when retrieving data from the db.

BTW, on a related note, I have written some scripts recently (yet to be deployed) that include a check of the value of $HTTP_REFERER as part of the validation (trying to ensure that the POST data has come from the form in the page from my server - if you know what I mean). Anyway, I've read that this might not work because some proxy servers don't send the HTTP_REFERER header. If this is so, then that is a problem! Does this mean I should abandon this method and use sessions instead?

freakysid, in response to your last paragraph, I was wondering about that recently also. I am concerned about the security of a "tell a friend" script I had developed. I wanted to make sure that all of the form data actually came from the form, and it seems impossible to tell.

I had an idea though. In the form, you can place an INPUT type="hidden" with a value of the sum of the current time() added to a constant. When validating form input, you'd subtract the constant from this field, and see whether the current time is within a minute or so of this. It would prevent somebody from copying down the number and adding it to their script. Unfortunately, someone with determination would soon realise it was related to current time.

PHP is a very loose language, but this flexibility comes at the price of poor security if the proper preventive measures aren't taken. Check out my sig if you think your application needs a security evaluation... ;-)
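
The question that opens this thread, whether text typed into a form can change the SQL that runs, shown as an added example that is not part of any post above. It sets a form-fed insert built by string concatenation beside the same insert with bound parameters; it assumes PHP with PDO and the SQLite driver, and the table, function names and inputs are constructed for illustration.

```php
<?php
// Added example. Table, function names and inputs are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT, approved INTEGER)');

// Before: form values are pasted into the SQL text, so a quote in the input
// ends the string literal and whatever follows is parsed as SQL.
function insertConcatenated(PDO $db, string $author, string $body): void
{
    $db->exec("INSERT INTO comments (author, body, approved) VALUES ('$author', '$body', 0)");
}

// After: the statement text is fixed; values travel separately as bound parameters.
function insertPrepared(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (author, body, approved) VALUES (:author, :body, 0)'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Returns the approved flag of every row, in insertion order.
function approvedFlags(PDO $db): array
{
    return $db->query('SELECT approved FROM comments ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed form input: closes the string literal and supplies its own
// value for the approved column. It is still a single statement.
$crafted = "hello', 1) --";

insertConcatenated($db, 'guest', $crafted); // row is stored with approved = 1
insertPrepared($db, 'guest', $crafted);     // row is stored with approved = 0, body kept verbatim

// An ordinary apostrophe is enough to break the concatenated form.
try {
    insertConcatenated($db, "O'Brien", 'hi');
} catch (PDOException $e) {
    echo "concatenated insert rejected: syntax error from an apostrophe\n";
}
insertPrepared($db, "O'Brien", 'hi');       // stored normally

print_r(approvedFlags($db));
```

Only the concatenated insert lets the form value decide the `approved` column, and it does so inside one statement, so a one-query-per-call limit does not prevent it.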